1. Field of the Invention
This invention relates to the field of information network security, and more particularly to a method and system for the assignment of security group information to network traffic by a proxy for the source of the traffic.
2. Description of the Related Art
Flexible network access technologies such as wireless, Dynamic Host Configuration Protocol (DHCP), virtual private network (VPN) gateways and the like allow users access to a given protected network from a variety of access or entry points. This is true of all manner of networks, including enterprise networks, service provider networks and the like. As will be appreciated, increased mobility and ease-of-access are very desirable qualities in today's compute-intensive business climate.
At the same time, the security afforded while providing such access is of increasing concern. Therefore, technologies based on Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS) and other protocols are employed to allow a user, device or other network entity to be authenticated upon entry into the network. Such technologies thus support the authentication of, authorization of, and accounting for (AAA) network entities desiring admittance to the network, which is a model for access control. The function of authentication allows a network entity to prove its identity (i.e., that it is who it represents itself to be). Thus, authentication answers the question: Who is this network entity? The function of authorization allows a network administrator, or another person or network entity having the proper authority, to define what other network entities are allowed (and not allowed) to do. Thus, authorization answers the question: What is this network entity authorized to do? The function of accounting is to keep track of what a network entity does. Thus, accounting answers the question: What did the network entity in question do while having access to the network?
As is known, communications paths across such networks are conceptually separate (e.g., can be viewed as separate virtual paths), although they may traverse some or all of the same network devices (i.e., physical segments), and so are often controlled separately using some manner of access control mechanism. Conventionally, constraints upon access enjoyed by network entities are enforced by such access control mechanisms, which are often configured to process packets and so control such network entities' network traffic.
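The AAA model and the packet-level access control described above, as an added illustration that is not code from this patent or from any product: a stub AAA server answers the three questions (who is this entity, what may it do, what did it do), an entry-point proxy authenticates an entity and then assigns the authorized security group to traffic arriving from that entity's address, and a downstream enforcement device applies a group-based policy and records each decision. Every identity, secret, address, group name and policy entry is constructed for the example; nothing here reflects the RADIUS or TACACS wire formats.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def _digest(secret: str) -> str:
    """Keep only a hash of each shared secret in the constructed directory."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed identity store: who may authenticate and which security group
# each identity is authorized to use (hypothetical names and secrets).
AAA_DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice": {"secret_hash": _digest("alice-pw"), "group": "engineering"},
    "printer-7": {"secret_hash": _digest("device-key"), "group": "printers"},
}

# Constructed group policy: source group -> destination groups it may reach.
GROUP_POLICY: Dict[str, Set[str]] = {
    "engineering": {"servers", "printers"},
    "printers": set(),
}

# Constructed mapping of destination addresses to their security group.
DESTINATION_GROUPS: Dict[str, str] = {"10.0.1.20": "servers", "10.0.2.9": "printers"}


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    group: Optional[str] = None  # security group assigned at the entry point


@dataclass
class AaaServer:
    """Authentication, authorization and accounting in one stub service."""
    records: List[str] = field(default_factory=list)

    def authenticate(self, identity: str, secret: str) -> Optional[str]:
        """Who is this entity? On success, return the group it is authorized for."""
        entry = AAA_DIRECTORY.get(identity)
        if entry is None or not hmac.compare_digest(entry["secret_hash"], _digest(secret)):
            return None
        return entry["group"]

    def account(self, event: str) -> None:
        """What did the entity do? Append one accounting record."""
        self.records.append(event)


class EntryPointProxy:
    """Access device that admits an entity and tags its traffic on its behalf."""

    def __init__(self, aaa: AaaServer) -> None:
        self.aaa = aaa
        self.sessions: Dict[str, str] = {}  # src_ip -> security group

    def admit(self, src_ip: str, identity: str, secret: str) -> bool:
        group = self.aaa.authenticate(identity, secret)
        if group is None:
            self.aaa.account(f"auth-fail {identity} from {src_ip}")
            return False
        self.sessions[src_ip] = group
        self.aaa.account(f"auth-ok {identity} from {src_ip} group={group}")
        return True

    def tag(self, packet: Packet) -> Packet:
        """Attach the group of the authenticated source; unknown sources stay untagged."""
        packet.group = self.sessions.get(packet.src_ip)
        return packet


class Enforcer:
    """Downstream device that applies the group policy; untagged traffic is denied."""

    def __init__(self, aaa: AaaServer) -> None:
        self.aaa = aaa

    def permit(self, packet: Packet) -> bool:
        dst_group = DESTINATION_GROUPS.get(packet.dst_ip)
        allowed = (
            packet.group is not None
            and dst_group is not None
            and dst_group in GROUP_POLICY.get(packet.group, set())
        )
        verdict = "permit" if allowed else "deny"
        self.aaa.account(f"{verdict} {packet.src_ip}->{packet.dst_ip} group={packet.group}")
        return allowed


def demo() -> List[str]:
    """Run the three AAA functions end to end and return the accounting trail."""
    aaa = AaaServer()
    proxy = EntryPointProxy(aaa)
    enforcer = Enforcer(aaa)
    proxy.admit("10.0.0.5", "alice", "alice-pw")    # succeeds, session created
    proxy.admit("10.0.0.9", "printer-7", "wrong")   # fails, no session
    enforcer.permit(proxy.tag(Packet("10.0.0.5", "10.0.1.20")))  # engineering -> servers
    enforcer.permit(proxy.tag(Packet("10.0.0.9", "10.0.1.20")))  # untagged, denied
    return aaa.records
```

The point worth noting for a defender is the split of responsibilities: the proxy is the only component that talks to the AAA server and binds an address to a group, the enforcer trusts the tag rather than re-authenticating, and traffic with no tag (a source that was never admitted) falls through to deny by default, with every decision written to the accounting trail.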
However, certain network devices may not support processing of the access information needed to implement certain security paradigms. While such devices, sometimes referred to as legacy devices, are often amenable to having their hardware upgraded, such hardware upgrades are both costly and logistically challenging, particularly when an enterprise might have hundreds or thousands of such network devices that would need to be upgraded. Alternatively, an upgrade to support the necessary processing might be effected in software (i.e., a software upgrade). Unfortunately, performing all such processing in software can often result in unacceptably high resource requirements, processing being slowed to unacceptable levels and/or other untenable consequences.
What is required, then, is a mechanism that allows for the gradual introduction of security upgrades without requiring either upgraded hardware in the network device being upgraded or an upgrade implemented completely in software. Preferably, such an approach should be compatible with existing technology, as well as future upgrades to that technology, thus reducing or eliminating the problem of integrating the technology with existing or future network devices or networks. Also preferably, such an approach should allow the network to be easily reconfigured and to grow, without incurring a disproportionate administrative burden or consuming inordinately large amounts of network resources. Such an approach should also minimize the amount of unnecessary network traffic.
The use of the same reference symbols in different drawings indicates similar or identical items.